ALERT: Update Microsoft products for critical vulnerabilities
Wednesday, March 13, 2019
This information was sent to U-M IT staff groups via email on March 13, 2019. It is intended for U-M IT staff who are responsible for university computers that run any of the Microsoft products listed below, which include Microsoft Windows, Microsoft Office, Internet Explorer, Edge, and more.
Summary
Multiple vulnerabilities have been discovered in Microsoft products, several of which could allow for remote code execution or privilege escalation. Updates to address these vulnerabilities are available from Microsoft. These updates should be applied immediately after appropriate testing.
Problem
Microsoft has announced numerous new security vulnerabilities across multiple Microsoft products. Successful exploitation of the most severe of these could result in an attacker gaining the same privileges as the logged-on user or remotely executing malicious code without user interaction. Microsoft has provided updates to address all of the vulnerabilities. These should be applied as soon as possible after appropriate testing.
Threats
News reports indicate that two elevation of privilege vulnerabilities in Windows are being actively exploited in the wild; in some cases, these attacks also exploit a Chrome vulnerability to execute arbitrary code. Successful exploitation allows remote attackers who have already achieved remote code execution through some other means to execute arbitrary code with admin privileges on targeted computers. Several other vulnerabilities patched by this month’s Microsoft updates do allow remote code execution without user interaction or existing access to the system by the attacker.
Affected Systems
- Adobe Flash Player
- Internet Explorer
- Microsoft Edge
- Microsoft Windows
- Microsoft Office and Microsoft Office SharePoint
- ChakraCore
- Team Foundation Server
- Skype for Business
- Visual Studio
- NuGet
Action Items
Apply updates provided by Microsoft immediately after appropriate testing. See Microsoft's links to updates at March 2019 software updates.
How We Protect U-M
This communication is being sent to those across the university who manage machines with Microsoft software on them.
Information Assurance (IA) works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.
IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
IA provides vulnerability management guidance to the university.
Information for Users
MiWorkspace machines will be patched as soon as possible and will need to be restarted when prompted to ensure all updates have been applied. If you have Microsoft Office, Microsoft Windows, or any of the other products listed in this alert installed on your own devices that are not managed by the university, please check for available updates and install them immediately. We recommend that you set your software to update automatically whenever possible.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
References
- The fourth horseman: CVE-2019-0797 vulnerability (Kaspersky Lab, 3/13/19)
- Threat Groups SandCat, FruityArmor Exploiting Microsoft Win32k Flaw (Threatpost, 3/13/19)
- Microsoft Releases Patches for 64 Flaws — Two Under Active Attack (The Hacker News, 3/12/19)
- Microsoft March Patch Tuesday comes with fixes for two Windows zero-days (ZDNet, 3/12/19)
- Microsoft Security Update Guide (Microsoft, 3/12/19)
- IA Alert: Update Google Chrome for critical vulnerability (Safe Computing, 3/7/19)